Legend:

Some bugs affect Tor, but are '''upstream bugs''', not bugs in Tor itself: they include bugs in external libraries, like OpenSSL, Libevent, or zlib; bugs in an operating system's kernel; or bugs in upstream Firefox affecting TorBrowser. When we become aware of an "upstream" issue like this, we will coordinate with the upstream developers to find and deploy an appropriate fix, in accordance with their own security processes.

122

122

123

Finally, ''the above categories are approximation only''; difficulty of exploitation and other public factors may increase or decrease the security of an issue.

123

Finally, ''the above categories are approximation only''; difficulty of exploitation, degree of impact, rarity of configuration, and other public factors may increase or decrease the security of an issue.

124

124

125

125

[TODO: Compare the above list with the categories in our bug bounty program.]